# Machine-Readable Carbanak Emulation Plan

The universal, technology-agnostic version of the Carbanak emulation plan YAML has been provided as starting point for machine parsing and execution of the Carbanak emulation plan. This folder will store all versions of this yaml file, including those formatted to work with specific execution runners (such as automated agents like CALDERA or other breach simulation frameworks).

As Scenario 2 uses almost the same content as Scenario 1, but packages it into independent objectives, the YAML contains procedures linked only to the steps from Scenario 1. A table has been provided below to link the procedures within the YAML to the specific Scenario 2 steps.

# Included Formats

As new files are added, please list them in the below table.

File	Execution Framework	Notes
Carbanak.yaml	N/A	Initial Emulation Plan YAML

# Skipped Procedures

A number of procedures within the emulation plan are not present within the YAML file. This is because these procedures integrate with external frameworks or involve interaction with a GUI, which cannot be simple expressed in an automatable format.

The table below lists the steps/procedures that were skipped along with the reason why.

Step/Procedure	Step Name/Technique	Reason
1	Initial Access	While the initial execution of the VBE payload can be automated, the payload requires the user to click 'OK' on a dialog box in order for the payload to complete successfully.
2.A	Local Discovery	This procedure involves sending the command `enum-system` to the RAT through the C2 channel.
2.B.2	T1041 - Exfiltration over C2 Channel	There is currently not a technology-agnostic standard to represent uploads of files back to the C2 server.
4.A.1	T1083 - File and Directory Discovery	This procedure uses a native meterpreter command, `ls`.
4.A.2	T1018 - Remote System Discovery	This procedure involves loading and running PowerView's `Get-NetComputer` command from memory.
4.A.3	T1110.003 - Brute Force: Password Spraying	This procedure involves loading and running PowerView's `Find-LocalAdminAccess` command from memory.
5.C.2	T1021.002 - Remote Services: SMB/Windows Admin Shares	This procedure uses PsExec functionality to mount an SMB share, which is not easily replicated.
6.A.2	T1087.002 - Account Discovery: Domain Account	This procedure involves loading and running PowerView's `Get-NetUser` command from memory.
7.A.2	T1021.001 - Remote Services: Remote Desktop Protocol	The lateral movement in this procedure uses RDP. GUI interaction is not supported.
7.B.2	T1021.001 - Remote Services: Remote Desktop Protocol	The lateral movement in this procedure uses RDP. GUI interaction is not supported.
8	Legitimate CFO Login	This step involves a legitimate user logging in and performing various actions.
9.A.2	T1113 - Screen Capture	This procedure uses metasploit's `screen_spy` module.
9.A.3	Legitimate CFO Activity	This procedure involves legitimate user activity.
10.A	Install VNC Persistence	All procedures within this substep require Metasploit's `runas` module.
10.B	Use VNC Persistence	All parts of this step involve GUI interaction.

# Procedures to Note

Certain procedures included in the YAML have been modified or have external dependencies that are not captured within the YAML file.

The table below captures these steps/procedures.

Step/Procedure	YAML Name	Note
3.B	Execute 2nd Stage RAT	An external C2 server needs to be configured to handle the callback from the Meterpreter payload.
5.B.1	SSH to bankfileserver	This procedure starts an SSH connection with `bankfileserver` from `hrmanager`. However, an agent is not placed on `bankfileserver`. In order to continue the scenario using the YAML, a new agent needs to be manually started from `bankfileserver`.
5.C.1	Lateral Movement to bankdc from bankfileserver	This procedure starts an interactive session with `bankdc` from `bankfileserver` using `psexec.py`. However, an agent is not placed on `bankdc`. In order to continue the scenario using the YAML, a new agent needs to be manually started from `bankdc`.
5.C.3	Upload and execute Tiny.exe on bankdc	An external C2 server needs to be configured to handle the callback from the Meterpreter payload.
7.C.1	Upload JavaUpdate.exe and Create JavaUpdate.vbs on CFO	JavaUpdate.vbs is not copied using SCP as the emulation plan dictates. Instead, it is downloaded using the automation system's default download mechanism.

# Scenario 2 Procedure Mapping

The procedures in the YAML are mapped directly to the steps in Scenario 1. The table below maps the procedures to the steps of Scenario 2.

Scenario 2 Step	`procedure_step`	procedure `id`
1	2.B.1	`453cb643-892b-475d-8db9-df61289749f1`
2	3.A 3.B	`e238f1b5-a4e7-464d-82eb-36d0cc875434` `50cf48b9-2076-4efc-80f1-5b8f421ecae4`
3	4.B	`473e5707-5786-4f53-934f-22175c1059b0`
4	5.C.3	`7e3a8de9-edb9-4df4-beef-9577c4562420`
5	9.A.1 9.A.4 9.B.1 9.B.2	`5f3f7045-ae92-4a3e-8b39-35e4f8cc3038` `8b2f52d8-40d8-4f70-bf9e-cb999d325958` `22ddbc4f-fb5d-4785-8bc8-373da2f3e176` `f3678315-cdbb-4579-b25d-f92783e5599b`